Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ChakraCore servicing update for August, 2019 #6243

Merged
merged 8 commits into from
Aug 13, 2019
Merged

ChakraCore servicing update for August, 2019 #6243

merged 8 commits into from
Aug 13, 2019

Conversation

wyrichte
Copy link
Collaborator

This release addresses the following issues:
CVE-2019-1197
CVE-2019-1141
CVE-2019-1196
CVE-2019-1139
CVE-2019-1131
CVE-2019-1195

@akroshg @wyrichte
[CVE-2019-1141] Chakra JIT Type Confusion
329d9d2 
During the loop prepass the index variable is not fully constructed, so we can't rely it being negative
So we need to kiil the object type.
@wyrichte wyrichte changed the title Update version to 1.11.12 ChakraCore servicing update for August, 2019 Aug 13, 2019
MikeHolman and others added 7 commits August 13, 2019 08:48
@MikeHolman @wyrichte
[CVE-2019-1197] Chakra JIT Type Confusion
bf52b6c
@boingoing @wyrichte
[CVE-2019-1131] Chakra Type confusion
242c59e
@boingoing @wyrichte
[CVE-2019-1196] Chakra Builtins Function Type Confusion
dce7443
@akroshg @wyrichte
[CVE-2019-1139] Chakra JIT Type Confusion
ae8a8d9 
array.slice converts the native array to var array which was not captured during the optimization.
Due to that the native array type is forced to var array which leads to the type confusion.
Fixed this by killing the object type for the slice (as well as concat)
@pleath @wyrichte
[CVE-2019-1195] Chakra Type Confusion RCE
c70af48
@akroshg @wyrichte
Handling exception while GetJSONObject in script debugger.
797ddb0 
During GetChildren phase when we try to build JSON object we might throw exception. That skipped calling .Detach on the AutoPtr - which leads to release
the debugger property again.
Fixed that by catching and discarding the exception.
@wyrichte
Update version to 1.11.12
450a349
@chakrabot chakrabot merged commit 450a349 into chakra-core:release/1.11 Aug 13, 2019
chakrabot pushed a commit that referenced this pull request Aug 13, 2019
@wyrichte
[MERGE #6243 @wyrichte] ChakraCore servicing update for August, 2019
6b1250b 
Merge pull request #6243 from wyrichte:gh_servicing_1908

This release addresses the following issues:
CVE-2019-1197
CVE-2019-1141
CVE-2019-1196
CVE-2019-1139
CVE-2019-1131
CVE-2019-1195
chakrabot pushed a commit that referenced this pull request Aug 14, 2019
@wyrichte
[1.11>master] [MERGE #6243 @wyrichte] ChakraCore servicing update for…
b5e4874 
… August, 2019

Merge pull request #6243 from wyrichte:gh_servicing_1908

This release addresses the following issues:
CVE-2019-1197
CVE-2019-1141
CVE-2019-1196
CVE-2019-1139
CVE-2019-1131
CVE-2019-1195
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zenparsing zenparsing zenparsing left review comments

@boingoing boingoing boingoing approved these changes

@MikeHolman MikeHolman MikeHolman approved these changes

@pleath pleath pleath approved these changes

@akroshg akroshg Awaiting requested review from akroshg

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@wyrichte @boingoing @MikeHolman @zenparsing @pleath @chakrabot @akroshg